Deciphering the PHP-Nuke Capthca

2008.04.30
Risk: Low
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

The Capthca used in the current version 8.1 of PHP Nuke can be deciphered with 100% accuracy. more information can be found her: http://www.rooksecurity.com/blog/?p=6 Exploit Code: http://www.rooksecurity.com/exploits/php_nuke_captcha.zip What is so interesting about this captcha is that it is incredibly wide spread. Variants of this captcha are being used by big names like Paypal. This particular captcha is used for the forgotten password feature. There are few differences between this captcha and the one i broke. For one the background is a different image. The captcha is also using alpha-numeric which would mean 36^5 = 60466176 possibilities My attack against PHP-Nuke is taking advantage of the fact that there are only 10^6 or a 1,000,000 possible combinations of this captcha. It only takes a few minuets to calculate all possibilities. I am storing the results in as a md5 hash in a SQL database for speed. The entire SQL table needed to crack this captcha with 100% accuracy takes up less than 43 megabytes. After the table is generated it take only a few seconds to crack a captcha. This is a time-memory trade off very similar to Rainbow Crack. Let me be very clear that I am not relying on MD5 for security and in fact a faster and much less secure message digest function like Tiger is better suited for this task. MD5 is being used as an attack tool because it saves a lot of space and time verses storing the entire image in the database. I created this list manually making sure that I checked the latest version. This is by no means a complete list. PHP-Nuke v8.1 FINAL http://phpnuke.org/ ./html/mainfile.php starting on line 1574 PHP-Nuke v7.0 download: http://sourceforge.net/project/showfiles.php?group_id=7511&package_id=76 22&release_id=213152 in: ./html/admin.php line 111 in funciton gfx() and: ./modules/Your_Account/index.php line 489 in funciton gfx() 123tkshop v0.9.1 download: http://sourceforge.net/project/showfiles.php?group_id=41061 file: admin.php line: 142 function gfx($random_num) phpMyBitTorrent v1.2.2 Download: http://sourceforge.net/project/showfiles.php?group_id=129993&package_id= 142566&release_id=522280 file: ./html/gfxgen.php (the entire file) torrentflux v 2.3 download: http://sourceforge.net/project/showfiles.php?group_id=123961 file: ./html/login.php starting on line 40 e107 V0.7.11 download: http://sourceforge.net/project/showfiles.php?group_id=63748&package_id=6 0754&release_id=565243 This one is a bit spread out, but the actual vulnerable captcha is being created on line 147 in: ./e107_handlers/secure_img_render.php webze v 0.5.9 Download: http://sourceforge.net/project/showfiles.php?group_id=88820 ./index.php about line 92 Opendb v 1.5.0b4 download: http://sourceforge.net/project/showfiles.php?group_id=37089&package_id=2 9402&release_id=573315 in ./functions/secretimage.php in the function secretimage() starting on line 35 Labgab v1.1 download: http://sourceforge.net/project/showfiles.php?group_id=173453 ./core/code.php starting on line 31


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top